Online hosted services may use separate databases for each customer. Using separate databases provides data isolation, which is optimal for customer security and privacy because no customer has access to another's database. This data isolation comes at the cost of requiring very many databases that must be maintained separately. Each database will have an associated cost that is passed on to the client or borne by the host. Database costs can be reduced through data consolidation if multiple customers share the same database. However, using multi-tenant data storage opens the possibility of data leakage among customers.
A standard approach for building a multi-tenant data storage system is to horizontally partition the data using a unique identifier as a leading key in the database schema. All queries then use the identifier in a predicate. The queries should only retrieve data for the customer whose identifier is used. This approach exposes the risk that any query missing an identifier predicate may result in data being retrieved from multiple partitions. This data leakage may expose data from one customer partition to other unrelated customers on the multi-tenant service.